How Not To Be a Phish
By Ryan Coyle
Give a person a fish and you feed him for a day. Teach a person to fish and you feed him for a lifetime. Teach a person how to identify phishing attacks and they will save themselves and their company loads of embarrassment and fines. Perhaps that is not exactly how you remember the proverb, but it rings true. Trout season just began, but phishing season is year round!
What is Phishing?
Phishing is the fraudulent practice of sending emails purporting to be from legitimate companies in order to induce individuals to reveal sensitive information. Unfortunately, phishing is on the rise. Hackers have found that hacking computer systems is hard; hacking people, however, is much easier. Operating system vendors (e.g. Apple and Microsoft) and application developers regularly patch their systems to guard against hacker attacks, but the same cannot be said of people. The same attacks and tricks that have been fooling people for centuries continue to work on people today. The medium has changed, since most people don’t invite strange wooden horses into their homes, but we still let curiosity get the best of us. Remember, the best way to break into Fort Knox is not to try to drill through the walls, but to convince the guard to let you in.
A Sample Phishing Scheme
The great security breaches that you read about in today’s headlines are often not the result of evil denizens in a dark basement launching a massive coding onslaught, but of something like this:
A simple innocuous looking email that directs you to click on a link so your account can remain active. That click will either direct you to enter in some personal information, or worse yet, direct you to an infected website which will install some sort of malware on your computer.
So how do we stay safe? How do you tell what’s legit and what’s not?
Here are some hints to keep yourself safe:
- Develop your “spy-dy” sense – The most powerful tool you have to defend yourself against attacks like this is your own intuition. Be skeptical. Don’t take things at face value. This doesn’t necessarily mean that you need to put on a tin-foil hat before you check your email, but if you didn’t ask for it and it just shows up, be suspicious. This includes items from friends and family. Our natural defenses are typically much lower when we’re interacting with people we trust. Hackers know this too and exploit this by trying to send emails as friends and family.
- Bad Grammar – English is hard. I’m sure we all know some native speakers who struggle with it at times, myself included. The good news for us is that this makes spotting phishing messages much easier. Many of these types of messages originate from countries where English is not the native language. Bad grammar should be an automatic red flag for a potential phishing message.
- Don’t underestimate your own worth – One item that I see quite a bit is that people undervalue their own personal worth. Without going all Stuart Smalley on people, to hackers, you’re worth more than the sum of your bank statements. Your connections to other people are just as valuable as or more valuable than what can be had from your own accounts. Keeping yourself safe and practicing safe Internet usage is as much about protecting yourself as it is about protecting your friends and family.
- Hover over links before clicking on them – What’s the difference between these two links? Here’s a hint, it’s not the picture. [Image: two links with identical pictures but different destinations.] Here’s another example: one will take you to gluten-free cookies, the other, not so much. [Image: two more links with the same appearance but different destinations.]
Tax time and phishing
We all need to pay our debt to society. We know that and faithfully complete the appropriate IRS forms year after year. Adding insult to injury, phishing scams increase during tax season. As such, the IRS produces an annual list of the Dirty Dozen Tax Scams. Here is a version of the list, minus some IRS jargon.
Last but not least, could this be a phishing scheme?
Hovering over a hyperlink or an image shows where it actually leads; an innocent-looking image can be the cover for a malicious link. Look for disconnects between what you think you’re clicking on and what you’re actually clicking on. Be very careful with this, as hackers will sometimes wrap their own destination inside a legitimate-looking URL. For example, if the URL is supposed to take you to the eBay login page and instead it looks like this: http://www.ebay.com/login/redir?=www.getmyvirus.com/hahasucker.vbs
You should probably avoid it, even if it has the eBay domain built into it.
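The hover check described above, turned into a small link inspector, as an added example that is not part of the original post: it reports the real host of a link, flags a second destination hidden in the query string (the redir?= trick in the eBay-lookalike URL), a visible address that differs from the real one, and links that end in a script file. The sample links are constructed, and the "last two labels" rule for comparing sites is a simplifying assumption.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Hostname shape: one or more labels followed by a 2+ letter top-level domain.
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
# Extensions that mean a click downloads a script or program, not a web page.
EXECUTABLE_RE = re.compile(r"\.(vbs|exe|scr|js|bat|cmd)(\?|$)")


def registrable(host):
    """Crude 'site' name: the last two labels (www.ebay.com -> ebay.com).
    Assumption: multi-part suffixes such as co.uk are not handled."""
    if not host:
        return None
    return ".".join(host.lower().split(".")[-2:])


def host_of(text):
    """Hostname of a URL or bare domain string, or None if it is not one."""
    text = unquote(text.strip())
    candidate = text if "://" in text else "//" + text
    host = urlsplit(candidate).hostname
    return host if host and HOST_RE.match(host) else None


def analyze_link(href, display_text=None):
    """Return the real host of href plus a list of reasons to be wary of it."""
    parts = urlsplit(href)
    real_host = parts.hostname or ""
    findings = []
    # 1. A second destination smuggled into the query string (the redir?= trick).
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        embedded = host_of(value)
        if embedded and registrable(embedded) != registrable(real_host):
            findings.append(f"redirects to {embedded}")
    # 2. The text you see names one site, but the link goes to another.
    shown = host_of(display_text) if display_text else None
    if shown and registrable(shown) != registrable(real_host):
        findings.append(f"shown as {shown}, goes to {real_host}")
    # 3. The click would fetch a script or program rather than a page.
    if EXECUTABLE_RE.search(unquote(href).lower()):
        findings.append("link ends in an executable file")
    return {"real_host": real_host, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    # The URL from the post, shown to the reader as a plain eBay address.
    print(analyze_link("http://www.ebay.com/login/redir?=www.getmyvirus.com/hahasucker.vbs", "www.ebay.com"))
```

A redirect back to the same site (for example a sign-in page whose return URL is also on ebay.com) is not flagged, so the check separates the wrapping trick from ordinary same-site redirects.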
If you’re not sure, don’t click!
Pick up the phone and call someone. Don’t rely on contact information in a suspected phishing email. The number noted may be compromised or redirected to a number that the hacker is using. If it’s your bank or credit card, call the number on your credit or debit card. If it’s some other company, go directly to that company’s website to get the information (or heaven forbid, look it up in that weird yellow book you use for a monitor stand).